1.要求：
（1）总部实现高可靠性设计，接入层断掉一根线或汇聚、核心设备故障都不能影响数据正常转发
（2）分部1人数较少，采用单臂路由互通
（3）总部、分部1、2之间都能访问互联网
（4）外网能够访问总部的HTTP server 和FTP server
（5）总部和两个分部之间通过DSVPN实现内网互通
2.总部配置
（1）创建vlan并加入接口，将核心交换机之间链路捆绑为e-trunk，确保任何一台故障时另一台能正常转发数据
[LSW3]vlan batch 10 20 30
[LSW3]int g0/0/3
[LSW3-GigabitEthernet0/0/3]port link-type access
[LSW3-GigabitEthernet0/0/3]port default vlan 10
[LSW3-GigabitEthernet0/0/3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW3-GigabitEthernet0/0/1]int g0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type trunk
[LSW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30
[LSW4]vlan batch 10 20 30
[LSW4]int g0/0/3
[LSW4-GigabitEthernet0/0/3]port link-type access
[LSW4-GigabitEthernet0/0/3]port default vlan 20
[LSW4-GigabitEthernet0/0/3]int g0/0/1
[LSW4-GigabitEthernet0/0/1]port link-type trunk
[LSW4-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW4-GigabitEthernet0/0/1]int g0/0/2
[LSW4-GigabitEthernet0/0/2]port link-type trunk
[LSW4-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30
[LSW5]vlan batch 10 20 30
[LSW5]int g0/0/3
[LSW5-GigabitEthernet0/0/3]port link-type access
[LSW5-GigabitEthernet0/0/3]port default vlan 30
[LSW5-GigabitEthernet0/0/3]int g0/0/1
[LSW5-GigabitEthernet0/0/1]port link-type trunk
[LSW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW5-GigabitEthernet0/0/1]int g0/0/2
[LSW5-GigabitEthernet0/0/2]port link-type trunk
[LSW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30
[LSW1]vlan batch 10 20 30 11 12
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 11
[LSW1-GigabitEthernet0/0/1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 12
[LSW1-GigabitEthernet0/0/2]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 11 12
[LSW1-GigabitEthernet0/0/3]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW1-GigabitEthernet0/0/4]int g0/0/5
[LSW1-GigabitEthernet0/0/5]port link-type trunk
[LSW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW1-GigabitEthernet0/0/5]quit
[LSW1]int Eth-Trunk 1
[LSW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/6 to 0/0/7
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2]vlan batch 10 20 30 13 14
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 14
[LSW2-GigabitEthernet0/0/1]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 13
[LSW2-GigabitEthernet0/0/2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type t
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/3]int g0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/4]int g0/0/5
[LSW2-GigabitEthernet0/0/5]port link-type trunk
[LSW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/5]quit
[LSW2]int Eth-Trunk 1
[LSW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/6 to 0/0/7
[LSW2-Eth-Trunk1]port link-type trunk
[LSW2-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 11 12 13 14

（2）配置MSTP破除环路：LSW1为vlan 10 20的根桥、vlan 30 的次根，LSW2为vlan 30的根桥、vlan 10 20的次根；将连接终端的接口配置为边缘端口
[LSW1]stp region-configuration
[LSW1-mst-region]region-name 1
[LSW1-mst-region]revision-level 1
[LSW1-mst-region]instance 1 vlan 10 20
[LSW1-mst-region]instance 2 vlan 30
[LSW1-mst-region]active region-configuration
[LSW1]stp instance 1 priority 0
[LSW1]stp instance 2 priority 4096

[LSW2]stp region-configuration
[LSW2-mst-region]region-name 1
[LSW2-mst-region]revision-level 1
[LSW2-mst-region]instance 1 vlan 10 20
[LSW2-mst-region]instance 2 vlan 30
[LSW2-mst-region]active region-configuration
[LSW2]stp instance 1 priority 4096
[LSW2]stp instance 2 priority 0

[LSW3]stp region-configuration
[LSW3-mst-region]region-name 1
[LSW3-mst-region]revision-level 1
[LSW3-mst-region]instance 1 vlan 10 20
[LSW3-mst-region]instance 2 vlan 30
[LSW3-mst-region]active region-configuration
[LSW3-mst-region]quit
[LSW4]stp region-configuration
[LSW4-mst-region]region-name 1
[LSW4-mst-region]revision-level 1
[LSW4-mst-region]instance 1 vlan 10 20
[LSW4-mst-region]instance 2 vlan 30
[LSW4-mst-region]active region-configuration
[LSW4-mst-region]quit
[LSW5]stp region-configuration
[LSW5-mst-region]region-name 1
[LSW5-mst-region]revision-level 1
[LSW5-mst-region]instance 1 vlan 10 20
[LSW5-mst-region]instance 2 vlan 30
[LSW5-mst-region]active region-configuration

[LSW3]int g0/0/3
[LSW3-GigabitEthernet0/0/3]stp edged-port enable
[LSW4]int g0/0/3
[LSW4-GigabitEthernet0/0/3]stp edged-port enable
[LSW5]int g0/0/3
[LSW5-GigabitEthernet0/0/3]stp edged-port enable
（3）配置vlan间路由，使内网互通：配置vrrp，LSW1为vlan 10 20的master、为vlan 30的backup，LSW2为vlan 10 20的backup、为vlan 30的master
[LSW1]int Vlanif 10
[LSW1-Vlanif10]ip add 10.1.1.1 24
[LSW1-Vlanif10]int Vlanif 20
[LSW1-Vlanif20]ip add 10.1.2.1 24
[LSW1-Vlanif20]int Vlanif 30
[LSW1-Vlanif30]ip add 10.1.3.1 24
[LSW2]int Vlanif 10
[LSW2-Vlanif10]ip add 10.1.1.2 24
[LSW2-Vlanif10]int Vlanif 20
[LSW2-Vlanif20]ip add 10.1.2.2 24
[LSW2-Vlanif20]int Vlanif 30
[LSW2-Vlanif30]ip add 10.1.3.2 24
[LSW1]int Vlanif 10
[LSW1-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW1-Vlanif10]vrrp vrid 1 priority 200
[LSW1-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60
[LSW1-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 120
[LSW1]int Vlanif 20
[LSW1-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254
[LSW1-Vlanif20]vrrp vrid 2 priority 200
[LSW1-Vlanif20]vrrp vrid 2 preempt-mode timer delay 60
[LSW1-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120
[LSW1]int Vlanif 30
[LSW1-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254
[LSW2]int Vlanif 10
[LSW2-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW2-Vlanif10]int Vlanif 20
[LSW2-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254
[LSW2-Vlanif20]int Vlanif 30
[LSW2-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254
[LSW2-Vlanif30]vrrp vrid 3 priority 200
[LSW2-Vlanif30]vrrp vrid 3 preempt-mode timer delay 60
[LSW2-Vlanif30]vrrp vrid 3 track interface GigabitEthernet 0/0/1 reduced 120

（4）配置三层互联接口
[LSW1]int Vlanif 11
[LSW1-Vlanif11]ip add 192.168.11.1 24
[LSW1-Vlanif11]int Vlanif 12
[LSW1-Vlanif12]ip add 192.168.12.1 24
[LSW2]int Vlanif 13
[LSW2-Vlanif13]ip add 192.168.13.2 24
[LSW2-Vlanif13]int Vlanif 14
[LSW2-Vlanif14]ip add 192.168.14.2 24
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/3
[FW1-zone-dmz]add interface GigabitEthernet 1/0/4
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 20.1.1.3 24
[FW1-GigabitEthernet1/0/1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.13.3 24
[FW1-GigabitEthernet1/0/0]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 192.168.11.3 24
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 192.168.15.3 24
[FW1-GigabitEthernet1/0/3]int g1/0/4
[FW1-GigabitEthernet1/0/4]ip add 192.168.16.3 24

[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 192.168.12.4 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 192.168.14.4 24
[AR2-GigabitEthernet0/0/1]int g0/0/2
[AR2-GigabitEthernet0/0/2]ip add 20.1.1.4 24
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]ip add 50.1.1.5 24
[AR1-GigabitEthernet4/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 30.1.1.5 24
[AR1-GigabitEthernet0/0/1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 40.1.1.5 24
[AR1-GigabitEthernet0/0/2]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 20.1.1.5 24
（5）配置DMZ区域
1）配置vlan
[LSW10]vlan batch 100 101
[LSW10]int g0/0/3
[LSW10-GigabitEthernet0/0/3]port link-type access
[LSW10-GigabitEthernet0/0/3]port default vlan 100
[LSW10-GigabitEthernet0/0/3]int g0/0/4
[LSW10-GigabitEthernet0/0/4]port link-type access
[LSW10-GigabitEthernet0/0/4]port default vlan 101
[LSW10-GigabitEthernet0/0/4]int g0/0/1
[LSW10-GigabitEthernet0/0/1]port link-type trunk
[LSW10-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 101
[LSW10-GigabitEthernet0/0/1]int g0/0/2
[LSW10-GigabitEthernet0/0/2]port link-type trunk
[LSW10-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101
[LSW8]vlan batch 15 100 101
[LSW8]int g0/0/1
[LSW8-GigabitEthernet0/0/1]port link-type access
[LSW8-GigabitEthernet0/0/1]port default vlan 15
[LSW8-GigabitEthernet0/0/1]int g0/0/2
[LSW8-GigabitEthernet0/0/2]port link-type trunk
[LSW8-GigabitEthernet0/0/2]port trunk allow-pass vlan 15 100 101
[LSW8-GigabitEthernet0/0/2]quit
[LSW8]int Eth-Trunk 1
[LSW8-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/4
[LSW8-Eth-Trunk1]port link-type trunk
[LSW8-Eth-Trunk1]port trunk allow-pass vlan 15 100 101
[LSW9]vlan batch 16 100 101
[LSW9]int g0/0/1
[LSW9-GigabitEthernet0/0/1]port link-type access
[LSW9-GigabitEthernet0/0/1]port default vlan 16
[LSW9-GigabitEthernet0/0/1]int g0/0/2
[LSW9-GigabitEthernet0/0/2]port link-type trunk
[LSW9-GigabitEthernet0/0/2]po
[LSW9-GigabitEthernet0/0/2]port trunk allow-pass vlan 16 100 101
[LSW9-GigabitEthernet0/0/2]quit
[LSW9]int Eth-Trunk 1
[LSW9-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/4
[LSW9-Eth-Trunk1]port link-type trunk
[LSW9-Eth-Trunk1]port trunk allow-pass vlan 16 100 101
2）配置MSTP（要求vlan 100的根桥为LSW8，vlan 101的根桥为LSW9）
[LSW10]stp region-configuration
[LSW10-mst-region]region-name DMZ1
[LSW10-mst-region]revision-level 1
[LSW10-mst-region]instance 1 vlan 100
[LSW10-mst-region]instance 2 vlan 101
[LSW10-mst-region]active region-configuration
[LSW8]stp region-configuration
[LSW8-mst-region]region-name DMZ1
[LSW8-mst-region]revision-level 1
[LSW8-mst-region]instance 1 vlan 100
[LSW8-mst-region]instance 2 vlan 101
[LSW8-mst-region]active region-configuration
[LSW9]stp region-configuration
[LSW9-mst-region]region-name DMZ1
[LSW9-mst-region]revision-level 1
[LSW9-mst-region]instance 1 vlan 100
[LSW9-mst-region]instance 2 vlan 101
[LSW9-mst-region]active region-configuration
[LSW8]stp instance 1 priority 0
[LSW8]stp instance 2 priority 4096
[LSW9]stp instance 1 priority 4096
[LSW9]stp instance 2 priority 0

[LSW10]int g0/0/3
[LSW10-GigabitEthernet0/0/3]stp edged-port enable
[LSW10-GigabitEthernet0/0/3]int g0/0/4
[LSW10-GigabitEthernet0/0/4]stp edged-port enable
3）配置VLAN间路由
[LSW8]int Vlanif 15
[LSW8-Vlanif15]ip add 192.168.15.1 24
[LSW8]int Vlanif 100
[LSW8-Vlanif100]ip add 10.1.100.1 24
[LSW8-Vlanif100]int Vlanif 101
[LSW8-Vlanif101]ip add 10.1.101.1 24
[LSW9]int Vlanif 16
[LSW9-Vlanif16]ip add 192.168.16.2 24
[LSW9]int Vlanif 100
[LSW9-Vlanif100]ip add 10.1.100.2 24
[LSW9-Vlanif100]int Vlanif 101
[LSW9-Vlanif101]ip add 10.1.101.2 24
4）配置VRRP，保证链路备份
[LSW8]int Vlanif 100
[LSW8-Vlanif100]vrrp vrid 1 virtual-ip 10.1.100.254
[LSW8-Vlanif100]vrrp vrid 1 priority 200
[LSW8-Vlanif100]vrrp vrid 1 preempt-mode timer delay 60
[LSW8-Vlanif100]vrrp vrid 1 track interface g0/0/1 reduced 120
[LSW8-Vlanif100]quit
[LSW8]int Vlanif 101
[LSW8-Vlanif101]vrrp vrid 2 virtual-ip 10.1.101.254
[LSW9]int Vlanif 100
[LSW9-Vlanif100]vrrp vrid 1 virtual-ip 10.1.100.254
[LSW9-Vlanif100]int Vlanif 101
[LSW9-Vlanif101]vrrp vrid 2 virtual-ip 10.1.101.254
[LSW9-Vlanif101]vrrp vrid 2 preempt-mode timer delay 60
[LSW9-Vlanif101]vrrp vrid 2 priority 200
[LSW9-Vlanif101]vrrp vrid 2 track interface g0/0/1 reduced 120

（6）配置全网路由：将总部在OSFP的area 0区域，服务器在 area 1区域，分部1在area 2区域，分部2在area 3区域
1）配置OSPF
[LSW1]ospf 1 router-id 11.1.1.1
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]ne
[LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[LSW2]ospf 1 router-id 22.1.1.1
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255
[FW1]ospf router-id 33.1.1.1
[FW1-ospf-1]ospf 1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[AR2]ospf router-id 44.1.1.1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255
[LSW8]ospf router-id 111.1.1.1
[LSW8-ospf-1]area 0
[LSW8-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[LSW8-ospf-1-area-0.0.0.0]area 1
[LSW8-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255
[LSW8-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255
[LSW9]ospf router-id 222.1.1.1
[LSW9-ospf-1]area 0
[LSW9-ospf-1-area-0.0.0.0]net
[LSW9-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[LSW9-ospf-1-area-0.0.0.0]area 1
[LSW9-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255
[LSW9-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255
2）将vlanif接口静默
[LSW1]ospf 1
[LSW1-ospf-1]silent-interface Vlanif 10
[LSW1-ospf-1]silent-interface Vlanif 20
[LSW1-ospf-1]silent-interface Vlanif 30
[LSW2]ospf 1
[LSW2-ospf-1]silent-interface Vlanif 10
[LSW2-ospf-1]silent-interface Vlanif 20
[LSW2-ospf-1]silent-interface Vlanif 30
[LSW8-ospf-1]silent-interface Vlanif 100
[LSW8-ospf-1]silent-interface Vlanif 101
[LSW9-ospf-1]silent-interface Vlanif 100
[LSW9-ospf-1]silent-interface Vlanif 101

（7）配置trust到dmz的安全策略
[FW1]security-policy
[FW1-policy-security]rule name t-to-dmz
[FW1-policy-security-rule-t-to-dmz]source-zone trust
[FW1-policy-security-rule-t-to-dmz]source-address 10.1.0.0 16
[FW1-policy-security-rule-t-to-dmz]destination-zone dmz
[FW1-policy-security-rule-t-to-dmz]action permit

（8）配置 NAT
[FW1]nat-policy
[FW1-policy-nat]rule name to-ISP
[FW1-policy-nat-rule-to-ISP]source-zone trust
[FW1-policy-nat-rule-to-ISP]destination-zone untrust
[FW1-policy-nat-rule-to-ISP]source-address 10.1.0.0 16
[FW1-policy-nat-rule-to-ISP]action source-nat easy-ip
[FW1]security-policy
[FW1-policy-security]rule name to-ISP
[FW1-policy-security-rule-to-ISP]source-zone trust
[FW1-policy-security-rule-to-ISP]destination-zone untrust
[FW1-policy-security-rule-to-ISP]source-address 10.1.0.0 16
[FW1-policy-security-rule-to-ISP]action permit
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.5
[FW1]ospf 1
[FW1-ospf-1]default-route-advertise

（9）公网访问 dmz 区域的 http 服务和 FTP 服务：通过 nat-server 进行映射
[FW1]nat server protocol tcp global 20.1.1.100 80 inside 10.1.100.10 80
[FW1]nat server protocol tcp global 20.1.1.101 21 inside 10.1.101.10 21
[FW1]security-policy
[FW1-policy-security]rule name u-to-dmz
[FW1-policy-security-rule-u-to-dmz]source-zone untrust
[FW1-policy-security-rule-u-to-dmz]destination-zone dmz
[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.100.10 32
[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.101.10 32
[FW1-policy-security-rule-u-to-dmz]action permit

4.分部1的配置：单臂路由和NAT
（1）单臂路由配置
[LSW11]vlan batch 10 20
[LSW11]int g0/0/2
[LSW11-GigabitEthernet0/0/2]port link-type access
[LSW11-GigabitEthernet0/0/2]port default vlan 10
[LSW11-GigabitEthernet0/0/2]int g0/0/3
[LSW11-GigabitEthernet0/0/3]port link-type access
[LSW11-GigabitEthernet0/0/3]port default vlan 20
[LSW11-GigabitEthernet0/0/3]int g0/0/1
[LSW11-GigabitEthernet0/0/1]port link-type trunk
[LSW11-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[AR4]int g0/0/1.10
[AR4-GigabitEthernet0/0/1.10]dot1q termination vid 10
[AR4-GigabitEthernet0/0/1.10]arp broadcast enable
[AR4-GigabitEthernet0/0/1.10]ip add 10.2.1.1 2
[AR4-GigabitEthernet0/0/1.10]int g0/0/1.20
[AR4-GigabitEthernet0/0/1.20]dot1q termination vid 20
[AR4-GigabitEthernet0/0/1.20]arp broadcast enable
[AR4-GigabitEthernet0/0/1.20]ip add 10.2.2.1 24
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 40.1.1.1 24
[AR4]ip route-static 0.0.0.0 0.0.0.0 40.1.1.5
[AR4]acl 2000
[AR4-acl-basic-2000]rule permit source 10.2.0.0 0.0.255.255
[AR4-acl-basic-2000]int g0/0/0
[AR4-GigabitEthernet0/0/0]nat outbound 2000

5.分部2的配置
（1）配置vlan
[LSW13]vlan batch 10 20 17
[LSW13]int g0/0/1
[LSW13-GigabitEthernet0/0/1]port link-type access
[LSW13-GigabitEthernet0/0/1]port default vlan 17
[LSW13-GigabitEthernet0/0/1]int g0/0/2
[LSW13-GigabitEthernet0/0/2]port link-type trunk
[LSW13-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 17
[LSW13-GigabitEthernet0/0/2]int g0/0/3
[LSW13-GigabitEthernet0/0/3]port link-type trunk
[LSW13-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 17
[LSW13-GigabitEthernet0/0/3]quit
[LSW13]int Eth-Trunk 1
[LSW13-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/5
[LSW13-Eth-Trunk1]port link-type trunk
[LSW13-Eth-Trunk1]port trunk allow-pass vlan 10 20 17
[LSW14]vlan batch 10 20 18
[LSW14]int g0/0/1
[LSW14-GigabitEthernet0/0/1]port link-type access
[LSW14-GigabitEthernet0/0/1]port default vlan 18
[LSW14-GigabitEthernet0/0/1]int g0/0/2
[LSW14-GigabitEthernet0/0/2]port link-type trunk
[LSW14-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 18
[LSW14-GigabitEthernet0/0/2]int g0/0/3
[LSW14-GigabitEthernet0/0/3]port link-type trunk
[LSW14-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 18
[LSW14-GigabitEthernet0/0/3]quit
[LSW14]int Eth-Trunk 1
[LSW14-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/5
[LSW14-Eth-Trunk1]port link-type trunk
[LSW14-Eth-Trunk1]port trunk allow-pass vlan 10 20 18
[LSW15]vlan batch 10 20
[LSW15]int g0/0/3
[LSW15-GigabitEthernet0/0/3]port link-type access
[LSW15-GigabitEthernet0/0/3]port default vlan 10
[LSW15-GigabitEthernet0/0/3]int g0/0/1
[LSW15-GigabitEthernet0/0/1]port link-type trunk
[LSW15-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[LSW15-GigabitEthernet0/0/1]int g0/0/2
[LSW15-GigabitEthernet0/0/2]port link-type trunk
[LSW15-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
[LSW16]vlan batch 10 20
[LSW16]int g0/0/3
[LSW16-GigabitEthernet0/0/3]port link-type access
[LSW16-GigabitEthernet0/0/3]port default vlan 20
[LSW16-GigabitEthernet0/0/3]int g0/0/1
[LSW16-GigabitEthernet0/0/1]port link-type trunk
[LSW16-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[LSW16-GigabitEthernet0/0/1]int g0/0/2
[LSW16-GigabitEthernet0/0/2]port link-type trunk
[LSW16-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
（2）配置MSTP：LSW13为vlan 10的主根、vlan 20的次根，LSW14为vlan 20的主根、vlan 10的次根
[LSW13]stp region-configuration
[LSW13-mst-region]region-name FB2
[LSW13-mst-region]revision-level 1
[LSW13-mst-region]instance 1 vlan 10
[LSW13-mst-region]instance 2 vlan 20
[LSW13-mst-region]active region-configuration
[LSW14]stp region-configuration
[LSW14-mst-region]region-name FB2
[LSW14-mst-region]revision-level 1
[LSW14-mst-region]instance 1 vlan 10
[LSW14-mst-region]instance 2 vlan 20
[LSW14-mst-region]active region-configuration
[LSW15]stp region-configuration
[LSW15-mst-region]region-name FB2
[LSW15-mst-region]revision-level 1
[LSW15-mst-region]instance 1 vlan 10
[LSW15-mst-region]instance 2 vlan 20
[LSW15-mst-region]active region-configuration
[LSW16]stp region-configuration
[LSW16-mst-region]region-name FB2
[LSW16-mst-region]revision-level 1
[LSW16-mst-region]instance 1 vlan 10
[LSW16-mst-region]instance 2 vlan 20
[LSW16-mst-region]active region-configuration
[LSW13]stp instance 1 priority 0
[LSW13]stp instance 2 priority 4096
[LSW14]stp instance 1 priority 4096
[LSW14]stp instance 2 priority 0

[LSW16-GigabitEthernet0/0/3]stp edged-port enable
[LSW15-GigabitEthernet0/0/3]stp edged-port enable
（3）配置vlan间路由
[LSW13]int Vlanif 10
[LSW13-Vlanif10]ip add 10.3.1.1 24
[LSW13-Vlanif10]int Vlanif 20
[LSW13-Vlanif20]ip add 10.3.2.1 24
[LSW13-Vlanif20]int Vlanif 10
[LSW13-Vlanif10]vrrp vrid 1 virtual-ip 10.3.1.254
[LSW13-Vlanif10]vrrp vrid 1 priority 200
[LSW13-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60
[LSW13-Vlanif10]vrrp vrid 1 track interface g0/0/1 reduced 120
[LSW13-Vlanif10]int Vlanif 20
[LSW13-Vlanif20]vrrp vrid 2 virtual-ip 10.3.2.254
[LSW14]int Vlanif 10
[LSW14-Vlanif10]ip add 10.3.1.2 24
[LSW14-Vlanif10]int Vlanif 20
[LSW14-Vlanif20]ip add 10.3.2.2 24
[LSW14-Vlanif20]vrrp vrid 2 virtual-ip 10.3.2.254
[LSW14-Vlanif20]vrrp vrid 2 priority 200
[LSW14-Vlanif20]vrrp vrid 2 preempt-mode timer delay 60
[LSW14-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120
[LSW14-Vlanif20]int Vlanif 10
[LSW14-Vlanif10]vrrp vrid 1 virtual-ip 10.3.1.254

（4）配置全网路由
[LSW13]int Vlanif 17
[LSW13-Vlanif17]ip add 192.168.17.1 24
[LSW13-Vlanif17]quit
[LSW13]ospf 1 router-id 17.1.1.1
[LSW13-ospf-1]area 2
[LSW13-ospf-1-area-0.0.0.2]ne
[LSW13-ospf-1-area-0.0.0.2]network 192.168.17.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]network 10.3.1.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]network 10.3.2.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]qui
[LSW13-ospf-1]silent-interface Vlanif 10
[LSW13-ospf-1]silent-interface Vlanif 20
[LSW14]int Vlanif 18
[LSW14-Vlanif18]ip add 192.168.18.1 24
[LSW14-Vlanif18]quit
[LSW14]ospf 1 router-id 18.1.1.1
[LSW14-ospf-1]area 2
[LSW14-ospf-1-area-0.0.0.2]network 10.3.1.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]network 10.3.2.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]network 192.168.18.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]quit
[LSW14-ospf-1]silent-interface Vlanif 10
[LSW14-ospf-1]silent-interface Vlanif 20
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip add 192.168.17.6 24
[AR5-GigabitEthernet0/0/1]int g0/0/2
[AR5-GigabitEthernet0/0/2]ip add 192.168.18.6 24
[AR5-GigabitEthernet0/0/2]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip add 50.1.1.6 24
[AR5]ospf 1 router-id 55.1.1.1
[AR5-ospf-1]area 2
[AR5-ospf-1-area-0.0.0.2]network 192.168.17.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.2]network 192.168.18.0 0.0.0.255
[AR5]ip route-static 0.0.0.0 0.0.0.0 50.1.1.5
[AR5]ospf 1
[AR5-ospf-1]default-route-advertise
（5）源NAT地址转换
[AR5]acl 2000
[AR5-acl-basic-2000]rule permit source 10.3.0.0 0.0.255.255
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]nat outbound 2000

6.总校分校DSVPN配置：AR2作为hub端，AR4、AR5作为spoke端，三个接口配置在172.1.1.0网段
[AR2]int Tunnel 0/0/0
[AR2-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR2-Tunnel0/0/0]ip add 172.1.1.1 24
[AR2-Tunnel0/0/0]source GigabitEthernet 0/0/2
[AR2-Tunnel0/0/0]nhrp entry multicast dynamic
[AR2-Tunnel0/0/0]ospf dr-priority 255 //调整优先级至最大，使其成为 DR
[AR4]int Tunnel 0/0/0
[AR4-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR4-Tunnel0/0/0]ip add 172.1.1.3 24
[AR4-Tunnel0/0/0]source GigabitEthernet 0/0/0
[AR4-Tunnel0/0/0]nhrp entry 172.1.1.1 20.1.1.4 register
[AR4-Tunnel0/0/0]ospf network-type broadcast
[AR4-Tunnel0/0/0]ospf dr-priority 0
[AR5]int Tunnel 0/0/0
[AR5-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR5-Tunnel0/0/0]ip add 172.1.1.2 24
[AR5-Tunnel0/0/0]source GigabitEthernet 0/0/0
[AR5-Tunnel0/0/0]nhrp entry 172.1.1.1 20.1.1.4 register
[AR5-Tunnel0/0/0]ospf network-type broadcast
[AR5-Tunnel0/0/0]ospf dr-priority 0

[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
[AR4]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255